How organizations should approach cloud security

May 25, 2011

A recent Gartner survey in India revealed that the top three concerns organizations had with cloud services were: 1) security concerns around data residing in a third party’s data center, 2) concerns about the reliability of cloud services, and 3) the maturity of vendor offerings. Organizations have consistently cited data security considerations as the top barrier to cloud adoption, across geographies, verticals and company sizes. Of course, the discrete considerations and concerns within the larger scope of data security will depend on the size of the organization, the criticality of the cloud workload to the business, regulatory/compliance issues and the type of service deployed in the cloud.

While there is significant hype around security issues as a barrier to cloud adoption, deciding whether a particular cloud provider is ‘secure enough’ is often a relative decision rather than an absolute one. Every provider is likely to have different underlying infrastructure, security policies and SLAs, and the onus is on the end user of the cloud service to map their security policies to what is on offer and determine whether it meets their requirements. In this scenario, organizations should seriously consider deploying some form of third-party cloud security and management tools that help end users assess and maintain a security view of the various applications or data they have deployed in the public cloud.

From an overall organizational perspective, alignment of the cloud service deployment to traditional IT processes and business units is essential. IT security policies and processes often link into larger business-critical processes, and it is important to review and assess audit, incident response, governance and compliance policies from a forward-looking perspective.

Of course, the security implications and considerations can vary depending on the type of service consumed. For example, even if an organization utilizing non-critical SaaS applications is subjected to a security breach at the provider location, the impact is relatively localized and may not affect the other in-house applications and data that are critical to the business. However, organizations utilizing cloud IaaS to directly support or enable some part of the business will have to be more careful and stringent while selecting a cloud provider, with different SLAs and performance guarantees. From an IaaS perspective, a majority of commodity public cloud providers offer negligible remediation and SLAs in case of a disruption of service. However, some IT vendors turned cloud IaaS providers, such as Fujitsu, HP and IBM, are turning their focus to the enterprise segment and are in a position to offer better performance guarantees, albeit at an increased cost.

The other side of the equation is that cloud computing may actually strengthen the IT security mechanisms of smaller organizations, while simultaneously enabling net new business growth. While a large proportion of cloud providers today offer very little in terms of granular, performance-driven SLAs, the IT security tools and firewalls they deploy may in fact have cost the organization a lot more had it deployed them in house.

One of the key issues that often confuses would-be cloud adopters is: what is the difference between security considerations in a cloud environment and those in a traditional hosting environment? While it is true that organizations with mature vendor management, audit and patch management processes will certainly be able to adapt to cloud security policies faster than others, there are distinct cloud-specific security considerations that need to be taken into account as well. Essentially, cloud users need to understand that the shared-hardware, multi-tenant model of cloud computing (IaaS in particular) means that they relinquish more control to the cloud provider than they did to their hosting provider. Also, the changes that the cloud provider makes to its hardware or software infrastructure policies are in most cases not known to the end users. Organizations planning to utilize public cloud services should ensure that they get as much visibility as possible into the provider’s infrastructure, negotiate custom SLAs for their deployments where possible and ensure that their organizational IT security policies cater for the potential risk of a data breach in the cloud.

Overall, cloud security encompasses many different cloud deployment models and services, and while it is easier for organizations to come up with individual security policies for each deployment, it is prudent for them to start thinking about a more comprehensive, organization-wide strategy for tackling future deployments of cloud services as well. Through 2015, as organizations start using public clouds as an enabler or even a key component of critical business processes, these unified cloud security policies will need to evolve in response to market dynamics and technology changes.
